Mobile Threat Monday: On Android, Remote Control App Controls You!

This week, F-Secure tips us to remote control app that claims it lets you control your TV from your Android. What it's actually doing is stealing your money.

One of the big messages we try to drive home in our Mobile Threat Monday features is that the Google Play store is safer than third-party app stores. But "safer" does not mean that it's safe all the time. First detected by Palo Alto Networks and further examined by F-Secure, the "Funtasy" remote control app for Android sneakily signs you up for pricey SMS messages that can cost you real money. It, and 17 other identical Trojan apps, were bouncing around the appstore for several weeks.

Funtasy Remote Control The "funtasy" remote control app was reportedly available in the Google Play store from late April until early May, but managed to snag between 10,000 and 50,000 downloads in that short time. Unlike most Trojans, Funtasy did not even work as advertised, netting it some very negative reviews.

Interestingly, the scammers included language in the app's terms of service that actually outlines the scam. Of course, this only appears after you've installed the app. The TOS says that by using the app, the user agrees to receive 10 SMS messages per week at around $1.99 per message. That seems all fair and above-board, but the victim actually has no choice in the matter because the Trojan is already at work.

While victims (might be) reading the TOS, the Trojan is quietly determining whether the infected phone is on a Spanish wireless network. That's because the premium numbers that the scammers use to make money off Trojan infections only work in certain geographic areas.

Once the Trojan has obtained your phone number and confirmed the network, it signs you up to receive premium SMS messages. The premium SMS service then sends a confirmation message. Under normal circumstances, you could reject the message and cancel the subscription. But the Trojan is too clever. It suppresses the SMS and automatically confirms on your behalf. It also suppresses the premium messages as they arrive, so you wouldn't notice any activity until you went to pay your bill.

In their analysis, F-Secure discovered that the Trojan has several nefarious tools at its disposal. For example, it can scrape your phone number from your WhatsApp account, and can even decrypt your WhatsApp database files.

Stay Safe Sadly, this wasn't just one app in Google Play. Palo Alto Networks detected 18 apps with the exact same behavior. The security company estimated that there could be as many as 67,000 infections, potentially netting the scammer up to 2 million Euros a month (or $2.7M USD), though that is probably a very, very generous estimate. The good news is that at least the remote control app featured here was removed from the store.

We strongly recommend installing security software onto your Android, such as Editors' Choice winners Bitdefender Mobile Security and Antivirus and avast! Mobile Security & Antivirus. That said, common sense should be your first line of defense. The Google Play store is generally very safe but it's not 100 percent safe. That's where common sense comes in: investigate every app you download and carefully consider if the permissions an app requests make sense before you hit install.

"Common sense is the best defense against these types of abusive programs," wrote Palo Alto Networks. "While many users breeze past the list of permissions required when installing new apps, readers of this blog should ask themselves, 'Does my electronic bible need to read my SMS messages?'"

Max Eddy is a Software Analyst, taking a critical eye to Android apps and security services. He's also PCMag's foremost authority on weather stations and digital scrapbooking software. When not polishing his tinfoil hat or plumbing the depths of the Dark Web, he can be found working to discern the 100 Best Android Apps.
Prior to PCMag, Max wrote for the International Digital Times, The International Science Times, and The Mary Sue. He has also been known to write for Geek.com. You can follow him on...
More »